ICSA-20-070-01_Siemens and PKE SiNVR/SiVMS Video Server (Update B)

🗓️ 13 Apr 2021 00:00:00Reported by Industrial Control Systems Cyber Emergency Response TeamType

ics🔗 www.cisa.gov👁 113 Views

Siemens and PKE SiNVR/SiVMS Video Server (Update B), vulnerabilities include Cleartext Storage, Path Traversal, and Weak Cryptography for Passwords. Unauthorized access possible

Reporter	Title	Published	Views	Family All 141
BDU FSTEC	The vulnerability of the FTP service (default ports 21/tcp and 5411/tcp), which is used by the SiNVR 3 video server, allows a hacker to gain access to protected information.	26 May 202000:00	–	bdu_fstec
BDU FSTEC	The vulnerability of the streaming service (default port 5410/tcp) of the SiNVR 3 video server, which allows a perpetrator to gain access to protected information.	26 May 202000:00	–	bdu_fstec
BDU FSTEC	The vulnerability of the streaming service (default port 5410/tcp) of the SiNVR 3 video server, which allows a intruder to cause a service failure.	26 May 202000:00	–	bdu_fstec
BDU FSTEC	The vulnerability of the streaming service (default port 5410/tcp) of the SiNVR 3 video server, which allows a perpetrator to gain access to protected information.	26 May 202000:00	–	bdu_fstec
BDU FSTEC	The vulnerability of the central control server of SiNVR 3 Central Control Server (CCS) arises from an incorrect path name limitation in the web interface download section, which allows a hacker to gain access to the server’s file system, enabling them to download files from the server and copy files from the server.	29 May 202000:00	–	bdu_fstec
BDU FSTEC	The vulnerability of the Central Control Server (CCS) and the Video Server of Siemens’ SiNVR 3 solution, related to the unencrypted storage of user credentials, allows a intruder to gain unauthorized access to users’ credentials.	29 May 202000:00	–	bdu_fstec
BDU FSTEC	The vulnerability of the central control server of SiNVR 3 allows a hacker to read or modify the database of the central control server, as well as perform operations on the databases or operating system commands with administrator privileges.	29 May 202000:00	–	bdu_fstec
BDU FSTEC	The vulnerability of the central control server of SiNVR 3 Central Control Server lies in the lack of measures for cleaning incoming data. This allows a intruder to gain unauthorized access to protected information or perform arbitrary actions on the vulnerable device.	29 May 202000:00	–	bdu_fstec
BDU FSTEC	The vulnerability of the Central Control Server (CCS) and the Video Server of Siemens’ SiNVR 3 solution, related to the lack of measures for cleaning input data, allows a intruder to inject malicious code into the web application of the Central Control Server.	29 May 202000:00	–	bdu_fstec
BDU FSTEC	The vulnerability of the central control server of SiNVR 3 Central Control Server lies in security flaws in the XML-based communication protocol, allowing attackers to perform arbitrary actions on the vulnerable device.	29 May 202000:00	–	bdu_fstec

Source	Link
cert-portal	www.cert-portal.siemens.com/productcert/csaf/ssa-761844.json
cert-portal	www.cert-portal.siemens.com/productcert/html/ssa-761844.html
cert-portal	www.cert-portal.siemens.com/productcert/pdf/ssa-761844.pdf
cert-portal	www.cert-portal.siemens.com/productcert/txt/ssa-761844.txt
raw	www.raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2021/icsa-20-070-01.json
cisa	www.cisa.gov/news-events/ics-advisories/icsa-20-070-01
cisa	www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01
cisa	www.cisa.gov/resources-tools/resources/ics-recommended-practices
cisa	www.cisa.gov/topics/industrial-control-systems
us-cert	www.us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf

13 Apr 2021 00:00Current

7.5High risk

Vulners AI Score7.5

CVSS 27.5

CVSS 3.19.8 - 9.9

EPSS0.00896

SSVC